What do data protection experts rely on? Report from the International Congress on Cybersecurity
On June 20-21, the International Congress on Cybersecurity was held in Moscow. After the event, visitors could draw the following conclusions:
- digital illiteracy is spreading both among users and among the cybercriminals themselves;
- the former keep falling for phishing, opening dangerous links and carrying malware from their personal smartphones into corporate networks;
- among the latter there are ever more newcomers chasing easy money without going into the technology: they download a botnet kit on the darkweb, set up the automation and watch the wallet balance;
- defenders have to rely on advanced analytics; without it, a threat is easily lost in the information noise.
The Congress was held at the World Trade Center. The choice of venue is explained by the fact that it is one of the few facilities with FSO (Federal Protective Service) clearance for events attended by the country's most senior officials. Visitors to the Congress could hear speeches by the Minister of Digital Development Konstantin Noskov, the head of the Central Bank Elvira Nabiullina and the president of Sberbank German Gref. The international audience was represented by Huawei's CEO in Russia Aiden Wu, former Europol director Jürgen Storbeck, president of the German Cybersecurity Council Hans-Wilhelm Dünn and other senior experts.
Is the patient alive, then?
The organizers selected topics suitable both for general discussion and for practically oriented reports on technical matters. Most of the speeches mentioned artificial intelligence in one way or another; to the speakers' credit, they often admitted themselves that in its current incarnation it is more a hype topic than a working technology stack. At the same time, without machine learning and Data Science it is hard today to imagine protecting a large corporate infrastructure.
An attack is detected, on average, three months after the infrastructure has been penetrated.
A single signature does not stop the 300 thousand new malware samples that appear on the Web every day (Kaspersky Lab's figure). And security teams take three months on average to detect intruders in their network. In that time the attackers entrench themselves so thoroughly that they have to be evicted three or four times. The storage was cleaned, and the malware came back through a vulnerable remote connection. Network security was tightened, and the criminals sent an employee a letter carrying a trojan, supposedly from a long-standing business partner whom they had also managed to compromise. And so on to the bitter end, whoever eventually prevails.
A and B were building infosec
On this basis two parallel directions in information security are growing rapidly: blanket control over the infrastructure based on security operations centers (SOC) and detection of malicious activity through abnormal behavior. Many speakers, for example Trend Micro's Vice President for Asia Pacific, Middle East and Africa, Dhanya Thakkar, urge administrators to assume they have already been breached, so as not to miss suspicious events, however insignificant they may seem.
IBM on a typical SOC project: “First, design the future service model, then implement it, and only then deploy the necessary technical systems.”
Hence the growing popularity of SOCs, which cover every section of the infrastructure and report in time on the sudden activity of some forgotten router. According to Gyorgy Racz, Director of IBM Security Systems in Europe, in recent years the professional community has formed a settled view of such governing structures, having realized that security cannot be achieved by technology alone. Today's SOCs bring an information security service model into the company, allowing security systems to integrate into existing processes.
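The "assume breach" stance and the forgotten router above come down to one mechanism: baseline each host's own behavior and raise an alert when the current day departs from it. The following is an added example, not code from the original article or from any vendor named in it. It assumes a hypothetical flow-log format (`<ISO timestamp> host=<name> dst=<ip> bytes=<n>`) and a constructed week of traffic in which one long-silent router suddenly starts talking to an outside address and a workstation triples its usual volume; the host names and addresses are invented.

```python
"""Behavioural-baseline detector over constructed flow logs (added example)."""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Log format assumed here (hypothetical, not any product's own):
#   <ISO timestamp> host=<name> dst=<ip> bytes=<n>
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) dst=(?P<dst>\S+) bytes=(?P<bytes>\d+)$")


def make_sample_log():
    """Constructed sample: seven quiet baseline days, then a 'today' in which
    a forgotten router wakes up and a workstation triples its traffic."""
    lines = []
    start = datetime(2019, 6, 14)
    for day in range(8):
        d = start + timedelta(days=day)
        for i in range(10):   # ws-042: ten 1200-byte flows every day
            lines.append(f"{(d + timedelta(hours=9, minutes=i)).isoformat()} "
                         f"host=ws-042 dst=10.0.0.5 bytes=1200")
        for i in range(5):    # fw-edge-1: five flows, mild day-to-day variation
            lines.append(f"{(d + timedelta(hours=8, minutes=i)).isoformat()} "
                         f"host=fw-edge-1 dst=10.0.0.9 bytes={5000 + 100 * (day % 3)}")
    today = start + timedelta(days=7)
    for i in range(40):       # rtr-old-3: silent all week, then 40 large outbound flows
        lines.append(f"{(today + timedelta(hours=3, minutes=i)).isoformat()} "
                     f"host=rtr-old-3 dst=198.51.100.7 bytes=65000")
    for i in range(20):       # ws-042: twenty extra flows on top of its usual ten
        lines.append(f"{(today + timedelta(hours=22, minutes=i)).isoformat()} "
                     f"host=ws-042 dst=198.51.100.7 bytes=1200")
    lines.append("garbage line that does not parse")   # malformed input is skipped
    return lines


def parse(lines):
    """Yield (timestamp, host, dst, bytes) tuples; silently skip malformed lines."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        yield datetime.fromisoformat(m["ts"]), m["host"], m["dst"], int(m["bytes"])


def daily_volume(events):
    """Aggregate bytes per host per calendar day: {host: {date: bytes}}."""
    vol = defaultdict(lambda: defaultdict(int))
    for ts, host, _dst, nbytes in events:
        vol[host][ts.date()] += nbytes
    return vol


def detect_anomalies(lines, z_threshold=3.0):
    """Compare each host's volume on the most recent day against its own history.
    Returns {host: reason} for hosts that deserve an analyst's attention."""
    events = list(parse(lines))
    days = sorted({ts.date() for ts, _, _, _ in events})
    if len(days) < 2:
        raise ValueError("need at least one baseline day before the day under review")
    today, history_days = days[-1], days[:-1]
    vol = daily_volume(events)
    findings = {}
    for host, per_day in vol.items():
        current = per_day.get(today, 0)
        if current == 0:
            continue                        # silent today: nothing to judge
        history = [per_day.get(d, 0) for d in history_days]
        if not any(history):
            # the 'forgotten router' case: no baseline at all, then traffic
            findings[host] = f"dormant host became active: {current} bytes today"
            continue
        mean = statistics.mean(history)
        # floor the spread so a perfectly flat baseline still yields a finite z-score
        spread = max(statistics.pstdev(history), 0.05 * mean, 1.0)
        z = (current - mean) / spread
        if z > z_threshold:
            findings[host] = f"volume spike: {current} bytes vs baseline mean {mean:.0f} (z={z:.1f})"
    return findings


if __name__ == "__main__":
    for host, reason in sorted(detect_anomalies(make_sample_log()).items()):
        print(f"{host}: {reason}")
```

On the constructed sample the detector flags `rtr-old-3` as a dormant host that became active and `ws-042` as a volume spike, while `fw-edge-1` stays quiet. The floor on the spread matters: a host with a perfectly constant baseline would otherwise divide by zero, and a host with a near-zero baseline would produce absurd z-scores on trivial traffic. A real SOC pipeline would baseline more than bytes per day (destinations, ports, hours of activity) and keep a longer history, but the structure is the same.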
And my axe!
Business operates under a shortage of personnel: the market needs about 2 million information security specialists. This pushes companies toward an outsourcing model. Even corporations often prefer to spin their own specialists out into a separate legal entity; SberTech, the in-house integrator at Domodedovo Airport and other examples come to mind. If you are not a giant in your industry, you are more likely to turn to someone like IBM to help you build your own security service. A significant part of the budget will go on restructuring processes so that information security can be launched in the format of a corporate service.
The data-leak scandals at Facebook, Uber and the US credit bureau Equifax raised IT security to the level of boards of directors. The CISO has therefore become a regular participant in their meetings, and instead of a technological approach to security, companies look at it through a business prism: assessing profitability, reducing risk and cushioning against a fall. Countering cybercriminals, too, takes on an economic dimension: the attack must be made unprofitable, so that the organization holds no interest for attackers in the first place.
There are nuances
All these changes did not go unnoticed by attackers, who redirected their efforts from corporations to private users. The numbers speak for themselves: according to BI.ZONE, in 2017-2018 the losses of Russian banks from cyberattacks on their systems fell more than tenfold. On the other hand, incidents involving social engineering at the same banks grew from 13% in 2014 to 79% in 2018. The criminals have found the weak link in the corporate security perimeter, and it turned out to be the private user. When one of the speakers asked everyone with dedicated anti-virus software on their smartphone to raise a hand, three hands out of several dozen went up.
In 2018, private users were involved in every fifth security incident; 80% of attacks on banks were carried out using social engineering.
Modern users are spoiled by intuitive services that teach them to judge IT in terms of convenience. Security features that add a couple of extra steps are a distraction. As a result, the protected service loses out to the competitor with prettier buttons, and attachments to phishing emails are opened without reading. It is worth noting that the new generation does not display the digital literacy attributed to it: the victims of attacks get younger every year, and millennials' love of gadgets only widens the range of possible vulnerabilities.
Hitting the human
Security today is fighting human laziness. Should I open this file? Do I really need to follow this link? Let that process sit in the sandbox a while and take another look at everything. Machine learning tools constantly collect data on user behavior in order to develop safe practices that do not cause unnecessary inconvenience.
But what do you do with a client who talks an anti-fraud specialist into approving a suspicious transaction, even though he is told outright that the recipient's account has been seen in fraudulent transactions (a real case from BI.ZONE's practice)? How do you protect users from intruders who can spoof a call from the bank?
Eight out of ten social engineering attacks are over the phone.
It is telephone calls that have become the main channel of malicious social engineering: in 2018 the share of such attacks rose from 27% to 83%, far surpassing SMS, social networks and email. Criminals set up entire call centers to ring people with offers to earn money on the stock exchange or get paid for taking part in surveys. Many people find it hard to take in information critically when an immediate decision is demanded of them and an impressive reward is promised for it.
The latest trend is fraud with loyalty programs, which robs the victim of miles accumulated over years, free liters of gasoline and other bonuses. The proven classic, paid subscriptions to unneeded mobile services, has not lost its relevance either. One of the reports gave the example of a user who lost 8 thousand rubles a day to such services. Asked why the constantly melting balance did not bother him, the man replied that he put it all down to his provider's greed.
Mobile devices blur the line between attacks on private and corporate users. For example, an employee may be quietly looking for a new job. On the Internet he stumbles on a service for preparing a resume and downloads an app or a document template to his smartphone. That is how the attackers who set up the fake online resource land on a personal gadget, from which they can move on to the corporate network.
According to a speaker from Group-IB, it was exactly such an operation that the advanced group Lazarus carried out, the group described as a North Korean intelligence unit. It is one of the most prolific cybercriminal groups of recent years: it is credited with the theft from the central bank of Bangladesh and from Taiwan's Far Eastern International Bank (FEIB), attacks on the cryptocurrency industry and even Sony Pictures. APT groups (advanced persistent threats), whose number has grown to several dozen over the past few years, get into an infrastructure seriously and for a long time, having first studied all of its features and weaknesses. That is how they manage to learn about the job-hunting of an employee who has access to the information system they need.
Large organizations today are threatened by 100-120 particularly dangerous cyber groups; one in five of them attacks companies in Russia.
The head of Kaspersky Lab's threat research department Timur Biyachuev estimated the number of the most formidable groups at 100-120, out of the several hundred active today. About 20% of them threaten Russian companies. A significant share of the criminals, especially from recently formed groups, live in Southeast Asia.
APT communities can go as far as setting up a software development company to cover their activity, or compromising ASUS's global update service to reach several hundred of their targets. Experts constantly monitor such groups, piecing together scattered evidence to establish the signature style of each of them. Such threat intelligence remains the best preventive weapon against cybercrime.
Who do you belong to?
According to the experts, criminals can easily change tools and tactics, write new malware and find new attack vectors. The same Lazarus, in one of its campaigns, planted Russian-language strings in its code to send investigators down a false trail. The behavior pattern itself, however, is much harder to change, so specialists can infer from characteristic features who carried out a given attack. Here, too, they are helped by big data and machine learning technologies that separate the wheat from the chaff in the data gathered by monitoring.
Congress speakers returned repeatedly to the problem of attribution, that is, establishing the identity of the attackers. Both technological and legal issues are bound up with it. Do criminals, say, enjoy the protection of personal data legislation? They certainly do, which means information about the organizers of a campaign can be shared only in anonymized form. This imposes certain restrictions on data exchange within the professional information security community.
Schoolchildren and hooligans, the customers of clandestine hacker shops, also complicate incident investigation. The entry threshold for the cybercrime industry has dropped so far that the ranks of malicious actors tend to infinity: you cannot count them all.
It is easy to despair at the thought of employees who plant a backdoor in a financial system with their own hands, but there are positive trends too. The growing popularity of open source increases software transparency and makes it easier to fight malicious code injection. Data Science experts are creating new algorithms that block unwanted actions as soon as they show signs of malicious intent. Experts are trying to bring the mechanics of security systems closer to the workings of the human brain, so that defensive tools use intuition alongside empirical methods. Deep learning technologies let such systems evolve on their own, trained on models of cyberattacks.
Skoltech: "Artificial intelligence is in fashion, and that's good. In reality, it is still a very long way off, and that is even better."
As Grigory Kabatyansky, Advisor to the Rector of the Skolkovo Institute of Science and Technology, reminded the audience, such developments cannot be called artificial intelligence. Real AI can not only accept tasks from humans but also set them on its own. Such systems, which will inevitably take their place among the shareholders of large corporations, are still a few decades away.
In the meantime, humanity is working with machine learning technologies and neural networks, which academics were already discussing in the middle of the last century. Skoltech researchers use predictive modeling to work with the Internet of Things, mobile networks and wireless communications, medical and financial solutions. In some areas advanced analytics is fighting the threat of industrial accidents and network performance problems. In others it suggests options for solving existing and hypothetical problems, and tackles tasks such as revealing hidden messages in seemingly harmless carriers.
Training on cats
Igor Lyapunov, Vice President for Information Security at Rostelecom PJSC, sees the fundamental problem of machine learning in information security as a lack of training material for smart systems. A neural network can be taught to recognize a cat by showing it thousands of photos of the animal. Where do you get thousands of cyberattacks to show it?
Today's proto-AI helps search for traces of criminals on the darknet and analyze malware that has already been detected. Anti-fraud, anti-money-laundering and, partly, finding vulnerabilities in code can also be done by automated means. The rest can be put down to software vendors' marketing projects, and that will not change in the next 5-10 years.